Re: layer2 ipfw 'fwd' support
On Thu, Oct 7, 2010 at 10:23 PM, Eduardo Meyer dudu.me...@gmail.com wrote:
On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer jul...@freebsd.org wrote:
On 10/6/10 12:06 PM, Eduardo Meyer wrote:
On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/5/10 12:56 PM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/4/10 12:18 PM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/4/10 10:16 AM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
jamesbrandongo...@gmail.com wrote:
On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyerdudu.me...@gmail.com
wrote:
Hello,
In the past I have used this patch by Luigi Rizzo, which helped me
well.
http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
I tried with a friend to port it to -STABLE, but we were not able
to
find out what has replaced mt_tag. Also on ip_input.c we dirty
hacked
to following piece of code:
#ifdef IPFIREWALL_FORWARD
if (m-m_flags M_FASTFWD_OURS) {
m-m_flags= ~M_FASTFWD_OURS;
goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT
HERE
*/
}
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) !=
NULL))
!= 0) {
/*
* Directly ship the packet on. This allows
forwarding
* packets originally destined to us to some other
directly
* connected host.
*/
ip_forward(m, dchg);
return;
}
#endif /* IPFIREWALL_FORWARD */
And this is something we are not sure if its correct.
So my very obvious question is:
Does anyone has a recent version of this patch to share?
Can anyone familiar with ipfw source code help me with that?
I'm certainly not an expert, but I wonder if the patch your
referring
to is still required? Can you provide more detail about your
particular application?
-Brandon
Yes, its still required since ipfw fwd ignores layer2 frames.
The application is the very same: squid. I mean, Lusca in fact
(squid
fork).
Thank you for your interest.
Cisco/Ironport have a patch that does this..
I had permission to bring it back when I worked there but never got
it
committed.
Adrian, was it part of the set I gave you?
Hello Elischer,
Was this made public?
I hope Chadd has some good news. In fact I tent to use with Lusca in
tproxy mode. I bet this is the only missing piece of software.
I just dug up my old changes.
do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)
If you want to fwd from a bridge to make a transparent layer 2 proxy,
this
may help..
Here are parts of it that may be relevent:
these are old (2007 I think) but may be of use still.
adrian had the full set at
==quote adrian=
The stuff is in p4 now, but I haven't tested it out at all.
//depo/projects/adrian_spoof_clientip/ I -think-.
== end quote===
Index: net/if_bridge.c
===
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.107
diff -u -r1.107 if_bridge.c
--- net/if_bridge.c 6 Nov 2007 23:01:42 - 1.107
+++ net/if_bridge.c 28 Nov 2007 06:59:10 -
@@ -2908,6 +2908,11 @@
struct ip *ip;
struct llc llc1;
u_int16_t ether_type;
+ int is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+ struct m_tag *fwd_tag;
+#endif
+
snap = 0;
error = -1; /* Default error if not error == 0 */
@@ -2967,6 +2972,7 @@
#ifdef INET6
case ETHERTYPE_IPV6:
#endif /* INET6 */
+ is_ip = 1;
break;
default:
/*
@@ -3024,6 +3030,30 @@
if (*mp == NULL)
return (error);
+
+#ifdef IPFIREWALL_FORWARD
+ /*
+ * Did the firewall want to forward it somewhere?
+ * If so, let the ip stack handle it.
+ */
+ if (i == 0 args.next_hop != NULL
+ is_ip /* src != NULL */) {
+
+ fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+ sizeof(struct sockaddr_in),
M_NOWAIT);
+ if (fwd_tag == NULL)
+ goto drop;
+ bcopy(args.next_hop, (fwd_tag+1),
+ sizeof(struct sockaddr_in));
+ m_tag_prepend(*mp, fwd_tag);
+
+ if (in_localip(args.next_hop-sin_addr))
+ (*mp)-m_flags |= M_FASTFWD_OURS;
+ ether_demux(src, *mp);
+ return (NULL);
+ }
+#endif
Re: layer2 ipfw 'fwd' support
On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer jul...@freebsd.org wrote:
On 10/6/10 12:06 PM, Eduardo Meyer wrote:
On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/5/10 12:56 PM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/4/10 12:18 PM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/4/10 10:16 AM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
jamesbrandongo...@gmail.com wrote:
On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyerdudu.me...@gmail.com
wrote:
Hello,
In the past I have used this patch by Luigi Rizzo, which helped me
well.
http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
I tried with a friend to port it to -STABLE, but we were not able
to
find out what has replaced mt_tag. Also on ip_input.c we dirty
hacked
to following piece of code:
#ifdef IPFIREWALL_FORWARD
if (m-m_flags M_FASTFWD_OURS) {
m-m_flags= ~M_FASTFWD_OURS;
goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT
HERE
*/
}
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) !=
NULL))
!= 0) {
/*
* Directly ship the packet on. This allows
forwarding
* packets originally destined to us to some other
directly
* connected host.
*/
ip_forward(m, dchg);
return;
}
#endif /* IPFIREWALL_FORWARD */
And this is something we are not sure if its correct.
So my very obvious question is:
Does anyone has a recent version of this patch to share?
Can anyone familiar with ipfw source code help me with that?
I'm certainly not an expert, but I wonder if the patch your
referring
to is still required? Can you provide more detail about your
particular application?
-Brandon
Yes, its still required since ipfw fwd ignores layer2 frames.
The application is the very same: squid. I mean, Lusca in fact
(squid
fork).
Thank you for your interest.
Cisco/Ironport have a patch that does this..
I had permission to bring it back when I worked there but never got
it
committed.
Adrian, was it part of the set I gave you?
Hello Elischer,
Was this made public?
I hope Chadd has some good news. In fact I tent to use with Lusca in
tproxy mode. I bet this is the only missing piece of software.
I just dug up my old changes.
do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)
If you want to fwd from a bridge to make a transparent layer 2 proxy,
this
may help..
Here are parts of it that may be relevent:
these are old (2007 I think) but may be of use still.
adrian had the full set at
==quote adrian=
The stuff is in p4 now, but I haven't tested it out at all.
//depo/projects/adrian_spoof_clientip/ I -think-.
== end quote===
Index: net/if_bridge.c
===
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.107
diff -u -r1.107 if_bridge.c
--- net/if_bridge.c 6 Nov 2007 23:01:42 - 1.107
+++ net/if_bridge.c 28 Nov 2007 06:59:10 -
@@ -2908,6 +2908,11 @@
struct ip *ip;
struct llc llc1;
u_int16_t ether_type;
+ int is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+ struct m_tag *fwd_tag;
+#endif
+
snap = 0;
error = -1; /* Default error if not error == 0 */
@@ -2967,6 +2972,7 @@
#ifdef INET6
case ETHERTYPE_IPV6:
#endif /* INET6 */
+ is_ip = 1;
break;
default:
/*
@@ -3024,6 +3030,30 @@
if (*mp == NULL)
return (error);
+
+#ifdef IPFIREWALL_FORWARD
+ /*
+ * Did the firewall want to forward it somewhere?
+ * If so, let the ip stack handle it.
+ */
+ if (i == 0 args.next_hop != NULL
+ is_ip /* src != NULL */) {
+
+ fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+ sizeof(struct sockaddr_in),
M_NOWAIT);
+ if (fwd_tag == NULL)
+ goto drop;
+ bcopy(args.next_hop, (fwd_tag+1),
+ sizeof(struct sockaddr_in));
+ m_tag_prepend(*mp, fwd_tag);
+
+ if (in_localip(args.next_hop-sin_addr))
+ (*mp)-m_flags |= M_FASTFWD_OURS;
+ ether_demux(src, *mp);
+ return (NULL);
+ }
+#endif
+
if (DUMMYNET_LOADED (i == IP_FW_DUMMYNET
Re: layer2 ipfw 'fwd' support
On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer jul...@freebsd.org wrote:
On 10/4/10 12:18 PM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischerjul...@freebsd.org
wrote:
On 10/4/10 10:16 AM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
jamesbrandongo...@gmail.com wrote:
On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyerdudu.me...@gmail.com
wrote:
Hello,
In the past I have used this patch by Luigi Rizzo, which helped me
well.
http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
I tried with a friend to port it to -STABLE, but we were not able to
find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
to following piece of code:
#ifdef IPFIREWALL_FORWARD
if (m-m_flags M_FASTFWD_OURS) {
m-m_flags= ~M_FASTFWD_OURS;
goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE
*/
}
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) !=
NULL))
!= 0) {
/*
* Directly ship the packet on. This allows forwarding
* packets originally destined to us to some other
directly
* connected host.
*/
ip_forward(m, dchg);
return;
}
#endif /* IPFIREWALL_FORWARD */
And this is something we are not sure if its correct.
So my very obvious question is:
Does anyone has a recent version of this patch to share?
Can anyone familiar with ipfw source code help me with that?
I'm certainly not an expert, but I wonder if the patch your referring
to is still required? Can you provide more detail about your
particular application?
-Brandon
Yes, its still required since ipfw fwd ignores layer2 frames.
The application is the very same: squid. I mean, Lusca in fact (squid
fork).
Thank you for your interest.
Cisco/Ironport have a patch that does this..
I had permission to bring it back when I worked there but never got it
committed.
Adrian, was it part of the set I gave you?
Hello Elischer,
Was this made public?
I hope Chadd has some good news. In fact I tent to use with Lusca in
tproxy mode. I bet this is the only missing piece of software.
I just dug up my old changes.
do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)
If you want to fwd from a bridge to make a transparent layer 2 proxy, this
may help..
Here are parts of it that may be relevent:
these are old (2007 I think) but may be of use still.
adrian had the full set at
==quote adrian=
The stuff is in p4 now, but I haven't tested it out at all.
//depo/projects/adrian_spoof_clientip/ I -think-.
== end quote===
Index: net/if_bridge.c
===
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.107
diff -u -r1.107 if_bridge.c
--- net/if_bridge.c 6 Nov 2007 23:01:42 - 1.107
+++ net/if_bridge.c 28 Nov 2007 06:59:10 -
@@ -2908,6 +2908,11 @@
struct ip *ip;
struct llc llc1;
u_int16_t ether_type;
+ int is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+ struct m_tag *fwd_tag;
+#endif
+
snap = 0;
error = -1; /* Default error if not error == 0 */
@@ -2967,6 +2972,7 @@
#ifdef INET6
case ETHERTYPE_IPV6:
#endif /* INET6 */
+ is_ip = 1;
break;
default:
/*
@@ -3024,6 +3030,30 @@
if (*mp == NULL)
return (error);
+
+#ifdef IPFIREWALL_FORWARD
+ /*
+ * Did the firewall want to forward it somewhere?
+ * If so, let the ip stack handle it.
+ */
+ if (i == 0 args.next_hop != NULL
+ is_ip /* src != NULL */) {
+
+ fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+ sizeof(struct sockaddr_in),
M_NOWAIT);
+ if (fwd_tag == NULL)
+ goto drop;
+ bcopy(args.next_hop, (fwd_tag+1),
+ sizeof(struct sockaddr_in));
+ m_tag_prepend(*mp, fwd_tag);
+
+ if (in_localip(args.next_hop-sin_addr))
+ (*mp)-m_flags |= M_FASTFWD_OURS;
+ ether_demux(src, *mp);
+ return (NULL);
+ }
+#endif
+
if (DUMMYNET_LOADED (i == IP_FW_DUMMYNET)) {
==
Index: netinet/ip_fw2.c
===
RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.178
diff -u -r1.178 ip_fw2.c
--- netinet/ip_fw2.c 28 Oct 2007 17:12:47 -
Re: layer2 ipfw 'fwd' support
On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
jamesbrandongo...@gmail.com wrote:
On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer dudu.me...@gmail.com wrote:
Hello,
In the past I have used this patch by Luigi Rizzo, which helped me well.
http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
I tried with a friend to port it to -STABLE, but we were not able to
find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
to following piece of code:
#ifdef IPFIREWALL_FORWARD
if (m-m_flags M_FASTFWD_OURS) {
m-m_flags = ~M_FASTFWD_OURS;
goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
}
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) !=
0) {
/*
* Directly ship the packet on. This allows forwarding
* packets originally destined to us to some other directly
* connected host.
*/
ip_forward(m, dchg);
return;
}
#endif /* IPFIREWALL_FORWARD */
And this is something we are not sure if its correct.
So my very obvious question is:
Does anyone has a recent version of this patch to share?
Can anyone familiar with ipfw source code help me with that?
I'm certainly not an expert, but I wonder if the patch your referring
to is still required? Can you provide more detail about your
particular application?
-Brandon
Yes, its still required since ipfw fwd ignores layer2 frames.
The application is the very same: squid. I mean, Lusca in fact (squid fork).
Thank you for your interest.
--
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
Re: All I have is one packet!
On 8/8/07, Vadim Goncharov [EMAIL PROTECTED] wrote:
06.08.07 @ 23:05 Eduardo Meyer wrote:
I have tried, for many weeks, ng_tag to tag packets for ipfw
filtering. I could make it work fine. However, I have one problem. I
want to make a state that will match any packet, on any protocol,
between the peers. Why? Because all I have, is one packet. And this
packet however, wont always be in the same transport protocol.
For example, I can identify session initialization on TCP packets, but
once initialized, all communication between peers happen via UDP.
I know such a thing dont exist in ipfw. However, I would like to know
if someone can suggest changes to the code that would do this. Would
also be great if I could have a sysctl OID to tune state-timing of
this unusual behavior, differently from the existing sysctl mibs on
dyn stuff on ipfw.
Every suggestion on a feature like that, would be appreciated.
Yes, dynamic rules in ipfw are not intended for supporting state created
in the middle of the session, wuth the default sysctl settings it will be
kept for 1 second (which, however, is enough for shaping of fast
transfers). I think, precise controlling of dynamic rules from both
userland and kernel should be added to ipfw, to modify existing rules on
the fly (or even more features, like pfsync). As a hackish dirty
workaround, may be it should be only one keyword, something like
keep-state-middle, to create normal dynamic rule without initial SYNs.
But you've said about even more complex behaviour, like init on TCP,
continue with UDP. That's difficult to implement in kernel, and may be
even not suitable for ipfw. Currently (I think), you can try to emulate
this behaviour by divert'ing tagged by ng_tag packet to userland program,
like snort_inline (from ports collection) with needed scripting, which
will trigger adding proper rules to firewall (you should also care about
expiring that connection on SYNs and RSTs, though).
That's exactly the point. However, from a simplistic and probably
ignorant point of view on this matter, like mine, I believed it to be
in fact a much more simple state, which would only compare IP
addresses (src-dst) for the match, so I could just
ipfw add X allow { tcp or udp } from any to any keep-iponly-state tagged Y
It would be helpfull with many protocols which in fact use a transport
proto (like TCP) to do actual session initialization while using
another transport proto (UDP, DDP, whatever) for the real traffic;
many things do this nowadays;
Would such a feature be possible?
--
===
Eduardo Meyer
pessoal: [EMAIL PROTECTED]
profissional: [EMAIL PROTECTED]
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
All I have is one packet!
Hello ipfw users and hackers. I have tried, for many weeks, ng_tag to tag packets for ipfw filtering. I could make it work fine. However, I have one problem. I want to make a state that will match any packet, on any protocol, between the peers. Why? Because all I have, is one packet. And this packet however, wont always be in the same transport protocol. For example, I can identify session initialization on TCP packets, but once initialized, all communication between peers happen via UDP. I know such a thing dont exist in ipfw. However, I would like to know if someone can suggest changes to the code that would do this. Would also be great if I could have a sysctl OID to tune state-timing of this unusual behavior, differently from the existing sysctl mibs on dyn stuff on ipfw. Every suggestion on a feature like that, would be appreciated. -- === Eduardo Meyer pessoal: [EMAIL PROTECTED] profissional: [EMAIL PROTECTED] ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]
ipfw tag and ng_tag
Hello,
Finally with -BETA2 I can try ng_tag and ipfw tag.
I have a certain unusual need to filter DNS queries which return
NXDomain. Before filtering, I will make some cacti graphs. So I need
to count packets with NXDomain expression on Layer 7.
With tcpdump -X I can see that NXDomain alwas shows up perfectly, so
this is the kind of L7 pattern which will be safe to filter. With
hexdump(1) I found out the hex sequence for NXDomain expression to be:
4e 58 44 6f 6d 61 69 6e 0a
I have the needed kernel modules loaded. What should I do next? I know
I am supposed to create a ng_bpf pattern, similar to
PATTERN=(ether[40:4]=0x134e5844
ether[44:4]=0x6f6d6169
ether[48:4]=0x6e0a)
I did it, and execute it in the following script:
PATTERN=(ether[40:4]=0x134e5844
ether[44:4]=0x6f6d6169
ether[48:4]=0x6e0a)
NODEPATH=my_node:
INHOOK=hook1
MATCHHOOK=hook2
NOTMATCHHOOK=hook3
cat /tmp/bpf.awk xxENDxx
{
if (!init) {
printf bpf_prog_len=%d bpf_prog=[, \$1;
init=1;
} else {
printf { code=%d jt=%d jf=%d k=%d }, \$1, \$2, \$3, \$4;
}
}
END {
print ]
}
xxENDxx
BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk`
ngctl msg ${NODEPATH} setprogram { thisHook=\${INHOOK}\ \
ifMatch=\${MATCHHOOK}\ \
ifNotMatch=\${NOTMATCHHOOK}\ \
${BPFPROG} } }
BUT,
Here I get my first problem. Script returns:
ngctl: send msg: No such file or directory
I printed the full commands that returns the error, it is:
ngctl msg setprogram { thisHook= ifMatch= ifNotMatch=
bpf_prog_len=8 bpf_prog=[ { code=32 jt=0 jf=0 k=40 } { code=21 jt=0
jf=5 k=323901508 } { code=32 jt=0 jf=0 k=44 } { code=21 jt=0 jf=3
k=1869439337 } { code=32 jt=0 jf=0 k=48 } { code=21 jt=0 jf=1 k=28170
} { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] } }
Running tcpdump -s 8192 -ddd $PATTERN manually I get:
8
32 0 0 40
21 0 5 323901508
32 0 0 44
21 0 3 1869439337
32 0 0 48
21 0 1 28170
6 0 0 8192
6 0 0 0
Which looks that the ngctl data (code, kt, jf and k) are correct. But
the command returns that error for some reason. The script was taken
from ng_blf(4) man page.
I am all new to this netgraph thing, and I couldnt even get to the
ng_tag phase (stopped in ng_bpf).
I would like to have your help to work it out, please. Thank you.
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
